linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind
@ 2017-06-03  5:05 Florian Fainelli
  2017-06-03 17:50 ` Vivien Didelot
  2017-06-05  2:57 ` David Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Florian Fainelli @ 2017-06-03  5:05 UTC (permalink / raw)
  To: netdev
  Cc: Florian Fainelli, Andrew Lunn, Vivien Didelot, David S. Miller,
	open list

Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
replaced the use of dst->ds[0] with dst->cpu_switch since that is
functionally equivalent, however, we can now run into an use after free
scenario after unbinding then rebinding the switch driver.

The use after free happens because we do correctly initialize
dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
unbind the driver: dsa_dst_unapply() is called, and we rebind again.
dst->cpu_switch now points to a freed "ds" structure, and so when we
finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.

To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
which guarantees that we always correctly re-assign dst->cpu_switch in
dsa_cpu_parse().

Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
---
David, please queue this up for 4.11-stable as well, thanks!

 net/dsa/dsa2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
index 033b3bfb63dc..7796580e99ee 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -484,8 +484,10 @@ static void dsa_dst_unapply(struct dsa_switch_tree *dst)
 		dsa_ds_unapply(dst, ds);
 	}
 
-	if (dst->cpu_switch)
+	if (dst->cpu_switch) {
 		dsa_cpu_port_ethtool_restore(dst->cpu_switch);
+		dst->cpu_switch = NULL;
+	}
 
 	pr_info("DSA: tree %d unapplied\n", dst->tree);
 	dst->applied = false;
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind
  2017-06-03  5:05 [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind Florian Fainelli
@ 2017-06-03 17:50 ` Vivien Didelot
  2017-06-05  2:57 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: Vivien Didelot @ 2017-06-03 17:50 UTC (permalink / raw)
  To: Florian Fainelli, netdev
  Cc: Florian Fainelli, Andrew Lunn, David S. Miller, open list

Hi Florian,

Florian Fainelli <f.fainelli@gmail.com> writes:

> Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> replaced the use of dst->ds[0] with dst->cpu_switch since that is
> functionally equivalent, however, we can now run into an use after free
> scenario after unbinding then rebinding the switch driver.
>
> The use after free happens because we do correctly initialize
> dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
> unbind the driver: dsa_dst_unapply() is called, and we rebind again.
> dst->cpu_switch now points to a freed "ds" structure, and so when we
> finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.
>
> To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
> which guarantees that we always correctly re-assign dst->cpu_switch in
> dsa_cpu_parse().
>
> Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>

Reviewed-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>

Thanks!

        Vivien

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind
  2017-06-03  5:05 [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind Florian Fainelli
  2017-06-03 17:50 ` Vivien Didelot
@ 2017-06-05  2:57 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2017-06-05  2:57 UTC (permalink / raw)
  To: f.fainelli; +Cc: netdev, andrew, vivien.didelot, linux-kernel

From: Florian Fainelli <f.fainelli@gmail.com>
Date: Fri,  2 Jun 2017 22:05:23 -0700

> Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> replaced the use of dst->ds[0] with dst->cpu_switch since that is
> functionally equivalent, however, we can now run into an use after free
> scenario after unbinding then rebinding the switch driver.
> 
> The use after free happens because we do correctly initialize
> dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
> unbind the driver: dsa_dst_unapply() is called, and we rebind again.
> dst->cpu_switch now points to a freed "ds" structure, and so when we
> finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.
> 
> To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
> which guarantees that we always correctly re-assign dst->cpu_switch in
> dsa_cpu_parse().
> 
> Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-06-05  2:57 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-06-03  5:05 [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind Florian Fainelli
2017-06-03 17:50 ` Vivien Didelot
2017-06-05  2:57 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).